frank.munsche@gmx.net
2007-Nov-11 16:31 UTC
puppetrun fails: "Certificates were not trusted"
Hello all,

I've tried to run 'puppetrun', but there seems to be something unconfigured regarding the certificates. The reverse way (puppetd pulls the config from puppetmasterd) works fine.

The namespaceauth.conf on the client (where puppetd runs) is configured as follows:

[puppetrunner]
    allow *.abc.net

(also tried the calling host: puppet1.abc.net)

But when I call 'puppetrun --debug --host puppet2.abc.net':

Failed to load ruby LDAP library. LDAP functionality will not be available
debug: puppet: Setting vardir to '/var/opt/csw/puppet'
debug: puppet: Setting confdir to '/etc/opt/csw/puppet'
debug: puppet: Setting logdir to '$vardir/log'
debug: puppet: Setting genconfig to 'false'
debug: puppet: Setting statefile to '$statedir/state.yaml'
debug: puppet: Setting ssldir to '$confdir/ssl'
debug: puppet: Setting color to 'ansi'
debug: puppet: Setting mkusers to 'false'
debug: puppet: Setting rundir to '/var/run/puppet'
debug: puppet: Setting statedir to '$vardir/state'
debug: puppet: Setting syslogfacility to 'daemon'
debug: puppet: Setting setpidfile to 'true'
debug: puppet: Setting filetimeout to '15'
debug: puppet: Setting templatedir to '$vardir/templates'
debug: puppet: Setting factsignore to '.svn CVS'
debug: puppet: Setting factpath to '$vardir/facts'
debug: puppet: Setting factdest to '$vardir/facts'
debug: puppet: Setting factsource to 'puppet://$server/facts'
debug: puppetmasterd: Setting config to '$confdir/puppetmasterd.conf'
debug: puppetmasterd: Setting node_name to 'cert'
debug: puppetmasterd: Setting user to 'puppet'
debug: puppetmasterd: Setting manifestdir to '$confdir/manifests'
debug: puppetmasterd: Setting masterlog to '$logdir/puppetmaster.log'
debug: puppetmasterd: Setting masterhttplog to '$logdir/masterhttp.log'
debug: puppetmasterd: Setting manifest to '$manifestdir/site.pp'
debug: puppetmasterd: Setting masterport to '8140'
debug: puppetmasterd: Setting bucketdir to '$vardir/bucket'
debug: puppetd: Setting puppetport to '8139'
debug: puppetd: Setting localconfig to '$confdir/localconfig'
debug: puppetd: Setting classfile to '$confdir/classes.txt'
debug: puppetd: Setting server to 'puppet1'
debug: puppetd: Setting puppetdlog to '$logdir/puppetd.log'
debug: puppetd: Setting httplog to '$logdir/http.log'
debug: puppetd: Setting runinterval to '60'
debug: puppetd: Setting listen to 'false'
debug: puppetd: Setting usecacheonfailure to 'true'
debug: puppetd: Setting puppetdlockfile to '$statedir/puppetdlock'
debug: puppetd: Setting configtimeout to '30'
debug: puppetmaster: Setting railslog to '$logdir/rails.log'
debug: certificates: Setting hostprivkey to '$privatekeydir/puppet1.abc.net.pem'
debug: certificates: Setting publickeydir to '$ssldir/public_keys'
debug: certificates: Setting privatekeydir to '$ssldir/private_keys'
debug: certificates: Setting hostpubkey to '$publickeydir/puppet1.abc.net.pem'
debug: certificates: Setting privatedir to '$ssldir/private'
debug: certificates: Setting hostcert to '$certdir/puppet1.abc.net.pem'
debug: certificates: Setting passfile to '$privatedir/password'
debug: certificates: Setting localcacert to '$certdir/ca.pem'
debug: certificates: Setting certdir to '$ssldir/certs'
debug: ca: Setting cert_inventory to '$cadir/inventory.txt'
debug: ca: Setting caprivatedir to '$cadir/private'
debug: ca: Setting ca_md to 'md5'
debug: ca: Setting signeddir to '$cadir/signed'
debug: ca: Setting csrdir to '$cadir/requests'
debug: ca: Setting req_bits to '2048'
debug: ca: Setting capass to '$caprivatedir/ca.pass'
debug: ca: Setting cadir to '$ssldir/ca'
debug: ca: Setting keylength to '1024'
debug: ca: Setting autosign to '$confdir/autosign.conf'
debug: ca: Setting cacrl to '$cadir/ca_crl.pem'
debug: ca: Setting ca to 'true'
debug: ca: Setting serial to '$cadir/serial'
debug: ca: Setting cakey to '$cadir/ca_key.pem'
debug: ca: Setting capub to '$cadir/ca_pub.pem'
debug: ca: Setting ca_ttl to '5y'
debug: ca: Setting cacert to '$cadir/ca_crt.pem'
debug: fileserver: Setting fileserverconfig to '$confdir/fileserver.conf'
debug: filebucket: Setting clientbucketdir to '$vardir/clientbucket'
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state/state.yaml]: Autorequiring File[/var/opt/csw/puppet/state]
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state/graphs]: Autorequiring File[/var/opt/csw/puppet/state]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/certs]: Autorequiring File[/etc/opt/csw/puppet/ssl]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private_keys]: Autorequiring File[/etc/opt/csw/puppet/ssl]
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/log]: Autorequiring File[/var/opt/csw/puppet]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/public_keys]: Autorequiring File[/etc/opt/csw/puppet/ssl]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private]: Autorequiring File[/etc/opt/csw/puppet/ssl]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private/password]: Autorequiring File[/etc/opt/csw/puppet/ssl/private]
debug: /puppetconfig/puppet/File[/etc/opt/csw/puppet/namespaceauth.conf]: Autorequiring File[/etc/opt/csw/puppet]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/opt/csw/puppet/ssl/certs]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/certs/puppet1.abc.net.pem]: Autorequiring File[/etc/opt/csw/puppet/ssl/certs]
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state]: Autorequiring File[/var/opt/csw/puppet]
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/templates]: Autorequiring File[/var/opt/csw/puppet]
debug: /puppetconfig/puppet/File[/etc/opt/csw/puppet/ssl]: Autorequiring File[/etc/opt/csw/puppet]
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/plugins]: Autorequiring File[/var/opt/csw/puppet]
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/facts]: Autorequiring File[/var/opt/csw/puppet]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private_keys/puppet1.abc.net.pem]: Autorequiring File[/etc/opt/csw/puppet/ssl/private_keys]
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/public_keys/puppet1.abc.net.pem]: Autorequiring File[/etc/opt/csw/puppet/ssl/public_keys]
debug: /puppetconfig/puppet/File[/etc/opt/csw/puppet/namespaceauth.conf]: File does not exist
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private/password]: File does not exist
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private/password]: Changing mode
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private/password]: 1 change(s)
debug: /puppetconfig/certificates/File[/etc/opt/csw/puppet/ssl/private/password]/mode: File does not exist; cannot set mode
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state/state.yaml]: File does not exist
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state/state.yaml]: Changing mode
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state/state.yaml]: 1 change(s)
debug: /puppetconfig/puppet/File[/var/opt/csw/puppet/state/state.yaml]/mode: File does not exist; cannot set mode
debug: Finishing transaction 69085070 with 2 changes
Triggering puppet2.abc.net
debug: Calling puppetrunner.run
Host puppet2.abc.net failed: Certificates were not trusted: tlsv1 alert unknown ca
puppet2.abc.net finished with exit code 2
Failed: puppet2.abc.net

thank you,
frank

On Nov 11, 2007, at 10:31 AM, frank.munsche@gmx.net wrote:
> debug: Calling puppetrunner.run
> Host puppet2.abc.net failed: Certificates were not trusted: tlsv1 alert unknown ca
> puppet2.abc.net finished with exit code 2
> Failed: puppet2.abc.net

Are you calling puppetrun as a user who can read the certs of the host you're on? Usually, this means root.

--
True Terror is to wake up one morning and discover that your high school class is running the country. -- Kurt Vonnegut
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Sunday 11 November 2007, Luke Kanies wrote:
> On Nov 11, 2007, at 10:31 AM, frank.munsche@gmx.net wrote:
> > debug: Calling puppetrunner.run
> > Host puppet2.abc.net failed: Certificates were not trusted: tlsv1 alert unknown ca
> > puppet2.abc.net finished with exit code 2
> > Failed: puppet2.abc.net
>
> Are you calling puppetrun as a user who can read the certs of the host you're on? Usually, this means root.

Yes Luke, I did. Called puppetrun as root on the host where puppetmasterd used to run. -(

> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users

SOLVED.

I forgot to set the FQDN in the /etc/nodename (solaris). Just the short hostname has been there. As I've rebooted my virtual puppet machines, the temp. set FQDN got lost. And the short name doesn't match the certificate.

regards,
frank

On Monday 12 November 2007, Frank Munsche wrote:
> On Sunday 11 November 2007, Luke Kanies wrote:
> > On Nov 11, 2007, at 10:31 AM, frank.munsche@gmx.net wrote:
> > > debug: Calling puppetrunner.run
> > > Host puppet2.abc.net failed: Certificates were not trusted: tlsv1 alert unknown ca
> > > puppet2.abc.net finished with exit code 2
> > > Failed: puppet2.abc.net
> >
> > Are you calling puppetrun as a user who can read the certs of the host you're on? Usually, this means root.
>
> Yes Luke, I did. Called puppetrun as root on the host where puppetmasterd used to run. -(

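
Added example, not part of the original thread: a Ruby check for the mismatch described in the message above (the local host name versus the name in the host certificate), which also reports a certificate that is not signed by the CA the peer trusts. The CA and certificates are constructed in memory as sample data, and `make_cert` and `cert_problems` are hypothetical helper names, not Puppet functions.

```ruby
require 'openssl'

# Build a certificate for subject CN `cn`, signed by `issuer_key`.
def make_cert(cn, key, issuer_cn, issuer_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = OpenSSL::X509::Name.parse("/CN=#{issuer_cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the reasons a peer that trusts `ca_cert` would reject this host identity.
def cert_problems(hostname, host_cert, ca_cert)
  problems = []
  cn = host_cert.subject.to_a.find { |field, _value, _type| field == 'CN' }&.at(1)
  problems << "hostname #{hostname} != certificate CN #{cn}" unless cn == hostname
  problems << 'hostname is not fully qualified' unless hostname.include?('.')
  unless host_cert.verify(ca_cert.public_key)
    problems << 'certificate not signed by the local CA'
  end
  unless (host_cert.not_before..host_cert.not_after).cover?(Time.now)
    problems << 'certificate outside validity window'
  end
  problems
end

# Constructed sample data: one CA, one host certificate it signed, and one
# certificate with the same subject signed by a different (unknown) CA key.
CA_NAME = 'Constructed Test CA'
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert(CA_NAME, CA_KEY, CA_NAME, CA_KEY, 1)
HOST_CERT = make_cert('puppet1.abc.net', OpenSSL::PKey::RSA.new(2048), CA_NAME, CA_KEY, 2)
OTHER_CA_KEY = OpenSSL::PKey::RSA.new(2048)
FOREIGN_CERT = make_cert('puppet1.abc.net', OpenSSL::PKey::RSA.new(2048), CA_NAME, OTHER_CA_KEY, 3)

# Short host name, as after the reboot described above: two problems reported.
puts cert_problems('puppet1', HOST_CERT, CA_CERT)
# Correct FQDN but a certificate from another CA: the "unknown ca" case.
puts cert_problems('puppet1.abc.net', FOREIGN_CERT, CA_CERT)
```
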
On Nov 12, 2007, at 11:12 AM, Frank Munsche wrote:
> SOLVED.
>
> I forgot to set the FQDN in the /etc/nodename (solaris). Just the short hostname has been there. As I've rebooted my virtual puppet machines, the temp. set FQDN got lost. And the short name doesn't match the certificate.

You must be using the same new version of ruby that Derek Wheyman just posted about, with the certaltnames problem.

--
To define recursion, we must first define recursion.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com